Questions regarding SMTP sending security and possible security issues

  • MBLicenseManager
    Asked on April 17, 2017 at 02:06 PM

    We have had an SMTP configuration in place where JotForm sends mail via an authenticated session to a sendmail server we have located in New Jersey. We have been having problems where mail is no longer flowing through to us and our server rejects the session due to failed credentials. After further detailed analysis we discovered something truly frightening. Each time we ask JotForm to send a test mail via a test form we created, it initiates a connection from the Amazon AWS cloud to us, only we then see a series of different usernames and passwords being used to connect to us. The failed attempts appear to be coming from JotForm AWS cloud servers, not other random servers on the Internet. This makes no sense since there is only one simple pair of credentials we have entered into JotForm for use. Everything seems like a dictionary attack on us coming from JotForm server IPs.

  • AIDAN
    Answered on April 17, 2017 at 02:57 PM

    Please note that what you described is how the "Test Email" button is expected to work, and those connections from Amazon AWS are from us.

    We included a notice about this in our guide on setting up email notifications here: https://www.jotform.com/help/25-Setting-Up-Email-Notifications

    Quoting from the guide above:

    IMPORTANT NOTICE:

    If you are trying to test the email alerts using the "Test Email" button, please note that this will always send the email notification to the email address that is registered with your jotform account profile. Instead, you must make an actual submission on your live form to test the newly added recipient email address you are setting up in the form if different. Please refer to this guide for more information: How-to-properly-change-and-test-a-new-email-recipient-address.

    In light of the above, please consider issuing a dummy/test submission in order to perform the tests you have in mind.

    As to JotForm IPs, please see our list here in case you would like to perform some checks and comparisons with the IPs you logged: https://www.jotform.com/help/145-Whitelisting-JotMails-IP-Addresses

    I hope this helps. If you need further assistance please let us know. Thank you.

  • MBLicenseManager
    Answered on April 18, 2017 at 10:13 AM

    We are not using the "Test Email" button. We "send a test mail via a test form we created" by clicking submit in the form we created. If those connections from Amazon AWS are yours, then why are you passing a "series of different usernames and passwords"? In other words, when we submit a form, JotForm connects to our SMTP server and authenticates with, for example, an account named "janedoe" and password "12345678", where we have specified neither a username called "janedoe" nor a password "12345678". This is bizarre behavior. It uses a random dictionary username and dictionary password once we click submit.

  • david
    Answered on April 18, 2017 at 11:46 AM

    I checked your email history and did not see any sending via SMTP.  All the emails I checked were sent from noreply@formresponse.com, which is our email service.  This would indeed connect using AWS.  These may just be dummy usernames and passwords being sent as they don't match accounts on our services.

  • MBLicenseManager
    Answered on April 20, 2017 at 11:35 AM

    I tried some more tests today to no avail. I am using "jotform@mcgarrybowen.com", not "noreply@formresponse.com". Look at my screenshots. There is no immediate SMTP connection made after I click submit using a test form I created. I would expect to see a connection made from your end to our port 25 at public IP 209.123.147.208 as soon as I hit submit, but I don't. Instead, after a few minutes, I see a connection from 190.216.197.18. Is that an address of yours?

    This is my mail log after hitting submit:

    Apr 20 11:24:31 mbnjcolo06 sendmail[11037]: NOQUEUE: connect from c190216197-18.static.impsat.com.co [190.216.197.18] (may be forged)
    Apr 20 11:24:31 mbnjcolo06 sendmail[11037]: AUTH: available mech=LOGIN PLAIN DIGEST-MD5, allowed mech=LOGIN PLAIN DIGEST-MD5 CRAM-MD5
    Apr 20 11:24:31 mbnjcolo06 sendmail[11037]: v3KFOVOL011037: Milter: no active filter
    Apr 20 11:24:31 mbnjcolo06 sendmail[11037]: v3KFOVOL011037: --- 220 my.mcgarrybowen.com ESMTP Sendmail 8.14.4/8.14.4; Thu, 20 Apr 2017 11:24:31 -0400
    Apr 20 11:24:31 mbnjcolo06 sendmail[11037]: v3KFOVOL011037: <-- HELO my.mcgarrybowen.com
    Apr 20 11:24:31 mbnjcolo06 sendmail[11037]: v3KFOVOL011037: --- 250 my.mcgarrybowen.com Hello c190216197-18.static.impsat.com.co [190.216.197.18] (may be forged), pleased to meet you
    Apr 20 11:24:32 mbnjcolo06 sendmail[11037]: v3KFOVOL011037: <-- AUTH LOGIN
    Apr 20 11:24:32 mbnjcolo06 sendmail[11037]: v3KFOVOL011037: --- 334 VXNlcm5hbWU6
    Apr 20 11:24:32 mbnjcolo06 sendmail[11037]: v3KFOVOL011037: --- 334 UGFzc3dvcmQ6
    Apr 20 11:24:32 mbnjcolo06 sendmail[11037]: v3KFOVOL011037: --- 535 5.7.0 authentication failed
    Apr 20 11:24:32 mbnjcolo06 sendmail[11037]: v3KFOVOL011037: AUTH failure (LOGIN): user not found (-20) SASL(-13): user not found: checkpass failed, relay=c190216197-18.static.impsat.com.co [190.216.197.18] (may be forged)
    Apr 20 11:24:32 mbnjcolo06 sendmail[11037]: v3KFOVOL011037: <-- QUIT
    Apr 20 11:24:32 mbnjcolo06 sendmail[11037]: v3KFOVOL011037: --- 221 2.0.0 my.mcgarrybowen.com closing connection
    Apr 20 11:24:32 mbnjcolo06 sendmail[11037]: v3KFOVOL011037: c190216197-18.static.impsat.com.co [190.216.197.18] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

    This is a raw tcpdump showing all data passed in to us from public IP 190.216.197.18:

    [my.mcgarrybowen.com ~]# tcpdump -vv -s 1500 -x -X -i eth0 'port 25' -q
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
    11:24:31.640560 IP (tos 0x0, ttl 107, id 8967, offset 0, flags [DF], proto TCP (6), length 52)
        c190216197-18.static.impsat.com.co.64085 > my.mcgarrybowen.com.smtp: tcp 0
    0x0000:  4500 0034 2307 4000 6b06 59b7 bed8 c512  E..4#.@.k.Y.....
    0x0010:  ac10 630a fa55 0019 ed94 653e 0000 0000  ..c..U....e>....
    0x0020:  8002 2000 6ec8 0000 0204 05b4 0103 0308  ....n...........
    0x0030:  0101 0402                                ....
    11:24:31.640579 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
        my.mcgarrybowen.com.smtp > c190216197-18.static.impsat.com.co.64085: tcp 0
    0x0000:  4500 0034 0000 4000 4006 a7be ac10 630a  E..4..@.@.....c.
    0x0010:  bed8 c512 0019 fa55 d549 061d ed94 653f  .......U.I....e?
    0x0020:  8012 3908 7a49 0000 0204 05b4 0101 0402  ..9.zI..........
    0x0030:  0103 0307                                ....
    11:24:31.729260 IP (tos 0x0, ttl 107, id 9156, offset 0, flags [DF], proto TCP (6), length 40)
        c190216197-18.static.impsat.com.co.64085 > my.mcgarrybowen.com.smtp: tcp 0
    0x0000:  4500 0028 23c4 4000 6b06 5906 bed8 c512  E..(#.@.k.Y.....
    0x0010:  ac10 630a fa55 0019 ed94 653f d549 061e  ..c..U....e?.I..
    0x0020:  5010 0201 f222 0000 0000 0000 0000       P...."........
    11:24:31.771152 IP (tos 0x0, ttl 64, id 16433, offset 0, flags [DF], proto TCP (6), length 127)
        my.mcgarrybowen.com.smtp > c190216197-18.static.impsat.com.co.64085: tcp 87
    0x0000:  4500 007f 4031 4000 4006 6742 ac10 630a  E...@1@.@.gB..c.
    0x0010:  bed8 c512 0019 fa55 d549 061e ed94 653f  .......U.I....e?
    0x0020:  5018 0073 9377 0000 3232 3020 6d79 2e6d  P..s.w..220.my.m
    0x0030:  6367 6172 7279 626f 7765 6e2e 636f 6d20  cgarrybowen.com.
    0x0040:  4553 4d54 5020 5365 6e64 6d61 696c 2038  ESMTP.Sendmail.8
    0x0050:  2e31 342e 342f 382e 3134 2e34 3b20 5468  .14.4/8.14.4;.Th
    0x0060:  752c 2032 3020 4170 7220 3230 3137 2031  u,.20.Apr.2017.1
    0x0070:  313a 3234 3a33 3120 2d30 3430 300d 0a    1:24:31.-0400..
    11:24:31.936969 IP (tos 0x0, ttl 107, id 9621, offset 0, flags [DF], proto TCP (6), length 66)
        c190216197-18.static.impsat.com.co.64085 > my.mcgarrybowen.com.smtp: tcp 26
    0x0000:  4500 0042 2595 4000 6b06 571b bed8 c512  E..B%.@.k.W.....
    0x0010:  ac10 630a fa55 0019 ed94 653f d549 0675  ..c..U....e?.I.u
    0x0020:  5018 0200 8320 0000 4845 4c4f 206d 792e  P.......HELO.my.
    0x0030:  6d63 6761 7272 7962 6f77 656e 2e63 6f6d  mcgarrybowen.com
    0x0040:  0d0a                                     ..
    11:24:31.936988 IP (tos 0x0, ttl 64, id 16434, offset 0, flags [DF], proto TCP (6), length 40)
        my.mcgarrybowen.com.smtp > c190216197-18.static.impsat.com.co.64085: tcp 0
    0x0000:  4500 0028 4032 4000 4006 6798 ac10 630a  E..(@2@.@.g...c.
    0x0010:  bed8 c512 0019 fa55 d549 0675 ed94 6559  .......U.I.u..eY
    0x0020:  5010 0073 f33f 0000                      P..s.?..
    11:24:31.937167 IP (tos 0x0, ttl 64, id 16435, offset 0, flags [DF], proto TCP (6), length 160)
        my.mcgarrybowen.com.smtp > c190216197-18.static.impsat.com.co.64085: tcp 120
    0x0000:  4500 00a0 4033 4000 4006 671f ac10 630a  E...@3@.@.g...c.
    0x0010:  bed8 c512 0019 fa55 d549 0675 ed94 6559  .......U.I.u..eY
    0x0020:  5018 0073 9398 0000 3235 3020 6d79 2e6d  P..s....250.my.m
    0x0030:  6367 6172 7279 626f 7765 6e2e 636f 6d20  cgarrybowen.com.
    0x0040:  4865 6c6c 6f20 6331 3930 3231 3631 3937  Hello.c190216197
    0x0050:  2d31 382e 7374 6174 6963 2e69 6d70 7361  -18.static.impsa
    0x0060:  742e 636f 6d2e 636f 205b 3139 302e 3231  t.com.co.[190.21
    0x0070:  362e 3139 372e 3138 5d20 286d 6179 2062  6.197.18].(may.b
    0x0080:  6520 666f 7267 6564 292c 2070 6c65 6173  e.forged),.pleas
    0x0090:  6564 2074 6f20 6d65 6574 2079 6f75 0d0a  ed.to.meet.you..
    11:24:32.045284 IP (tos 0x0, ttl 107, id 9838, offset 0, flags [DF], proto TCP (6), length 52)
        c190216197-18.static.impsat.com.co.64085 > my.mcgarrybowen.com.smtp: tcp 12
    0x0000:  4500 0034 266e 4000 6b06 5650 bed8 c512  E..4&n@.k.VP....
    0x0010:  ac10 630a fa55 0019 ed94 6559 d549 06ed  ..c..U....eY.I..
    0x0020:  5018 0200 959d 0000 4155 5448 204c 4f47  P.......AUTH.LOG
    0x0030:  494e 0d0a                                IN..
    11:24:32.045396 IP (tos 0x0, ttl 64, id 16436, offset 0, flags [DF], proto TCP (6), length 58)
        my.mcgarrybowen.com.smtp > c190216197-18.static.impsat.com.co.64085: tcp 18
    0x0000:  4500 003a 4034 4000 4006 6784 ac10 630a  E..:@4@.@.g...c.
    0x0010:  bed8 c512 0019 fa55 d549 06ed ed94 6565  .......U.I....ee
    0x0020:  5018 0073 9332 0000 3333 3420 5658 4e6c  P..s.2..334.VXNl
    0x0030:  636d 3568 6257 5536 0d0a                 cm5hbWU6..
    11:24:32.155044 IP (tos 0x0, ttl 107, id 10102, offset 0, flags [DF], proto TCP (6), length 50)
        c190216197-18.static.impsat.com.co.64085 > my.mcgarrybowen.com.smtp: tcp 10
    0x0000:  4500 0032 2776 4000 6b06 554a bed8 c512  E..2'v@.k.UJ....
    0x0010:  ac10 630a fa55 0019 ed94 6565 d549 06ff  ..c..U....ee.I..
    0x0020:  5018 0200 8470 0000 5a33 4a76 646d 5679  P....p..Z3JvdmVy
    0x0030:  0d0a                                     ..
    11:24:32.155157 IP (tos 0x0, ttl 64, id 16437, offset 0, flags [DF], proto TCP (6), length 58)
        my.mcgarrybowen.com.smtp > c190216197-18.static.impsat.com.co.64085: tcp 18
    0x0000:  4500 003a 4035 4000 4006 6783 ac10 630a  E..:@5@.@.g...c.
    0x0010:  bed8 c512 0019 fa55 d549 06ff ed94 656f  .......U.I....eo
    0x0020:  5018 0073 9332 0000 3333 3420 5547 467a  P..s.2..334.UGFz
    0x0030:  6333 6476 636d 5136 0d0a                 c3dvcmQ6..
    11:24:32.265812 IP (tos 0x0, ttl 107, id 10355, offset 0, flags [DF], proto TCP (6), length 50)
        c190216197-18.static.impsat.com.co.64085 > my.mcgarrybowen.com.smtp: tcp 10
    0x0000:  4500 0032 2873 4000 6b06 544d bed8 c512  E..2(s@.k.TM....
    0x0010:  ac10 630a fa55 0019 ed94 656f d549 0711  ..c..U....eo.I..
    0x0020:  5018 0200 8454 0000 5a33 4a76 646d 5679  P....T..Z3JvdmVy
    0x0030:  0d0a                                     ..
    11:24:32.266686 IP (tos 0x0, ttl 64, id 16438, offset 0, flags [DF], proto TCP (6), length 73)
        my.mcgarrybowen.com.smtp > c190216197-18.static.impsat.com.co.64085: tcp 33
    0x0000:  4500 0049 4036 4000 4006 6773 ac10 630a  E..I@6@.@.gs..c.
    0x0010:  bed8 c512 0019 fa55 d549 0711 ed94 6579  .......U.I....ey
    0x0020:  5018 0073 9341 0000 3533 3520 352e 372e  P..s.A..535.5.7.
    0x0030:  3020 6175 7468 656e 7469 6361 7469 6f6e  0.authentication
    0x0040:  2066 6169 6c65 640d 0a                   .failed..
    11:24:32.375193 IP (tos 0x0, ttl 107, id 10579, offset 0, flags [DF], proto TCP (6), length 46)
        c190216197-18.static.impsat.com.co.64085 > my.mcgarrybowen.com.smtp: tcp 6
    0x0000:  4500 002e 2953 4000 6b06 5371 bed8 c512  E...)S@.k.Sq....
    0x0010:  ac10 630a fa55 0019 ed94 6579 d549 0732  ..c..U....ey.I.2
    0x0020:  5018 0200 4914 0000 5155 4954 0d0a       P...I...QUIT..
    11:24:32.375292 IP (tos 0x0, ttl 64, id 16439, offset 0, flags [DF], proto TCP (6), length 90)
        my.mcgarrybowen.com.smtp > c190216197-18.static.impsat.com.co.64085: tcp 50
    0x0000:  4500 005a 4037 4000 4006 6761 ac10 630a  E..Z@7@.@.ga..c.
    0x0010:  bed8 c512 0019 fa55 d549 0732 ed94 657f  .......U.I.2..e.
    0x0020:  5018 0073 9352 0000 3232 3120 322e 302e  P..s.R..221.2.0.
    0x0030:  3020 6d79 2e6d 6367 6172 7279 626f 7765  0.my.mcgarrybowe
    0x0040:  6e2e 636f 6d20 636c 6f73 696e 6720 636f  n.com.closing.co
    0x0050:  6e6e 6563 7469 6f6e 0d0a                 nnection..
    11:24:32.375325 IP (tos 0x0, ttl 64, id 16440, offset 0, flags [DF], proto TCP (6), length 40)
        my.mcgarrybowen.com.smtp > c190216197-18.static.impsat.com.co.64085: tcp 0
    0x0000:  4500 0028 4038 4000 4006 6792 ac10 630a  E..(@8@.@.g...c.
    0x0010:  bed8 c512 0019 fa55 d549 0764 ed94 657f  .......U.I.d..e.
    0x0020:  5011 0073 f229 0000                      P..s.)..
    11:24:32.462021 IP (tos 0x0, ttl 107, id 10765, offset 0, flags [DF], proto TCP (6), length 40)
        c190216197-18.static.impsat.com.co.64085 > my.mcgarrybowen.com.smtp: tcp 0
    0x0000:  4500 0028 2a0d 4000 6b06 52bd bed8 c512  E..(*.@.k.R.....
    0x0010:  ac10 630a fa55 0019 ed94 657f d549 0765  ..c..U....e..I.e
    0x0020:  5010 0200 f09c 0000 0000 0000 0000       P.............
    11:24:32.484084 IP (tos 0x0, ttl 107, id 10808, offset 0, flags [DF], proto TCP (6), length 40)
        c190216197-18.static.impsat.com.co.64085 > my.mcgarrybowen.com.smtp: tcp 0
    0x0000:  4500 0028 2a38 4000 6b06 5292 bed8 c512  E..(*8@.k.R.....
    0x0010:  ac10 630a fa55 0019 ed94 657f d549 0765  ..c..U....e..I.e
    0x0020:  5011 0200 f09b 0000 0000 0000 0000       P.............
    11:24:32.484091 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
        my.mcgarrybowen.com.smtp > c190216197-18.static.impsat.com.co.64085: tcp 0
    0x0000:  4500 0028 0000 4000 4006 a7ca ac10 630a  E..(..@.@.....c.
    0x0010:  bed8 c512 0019 fa55 d549 0765 ed94 6580  .......U.I.e..e.
    0x0020:  5010 0073 f228 0000                      P..s.(..
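The capture above contains everything a defender needs to triage this kind of event: the AUTH LOGIN dialogue is only Base64 (the 334 prompts decode to "Username:" and "Password:", and the client's replies are the credential it tried), and the sendmail AUTH failure line names the relay IP to compare against the provider's published ranges. The following script is an added example, not code from the thread or from JotForm; it decodes a dialogue reconstructed from the ASCII column of the dump, extracts the relay IP from a sendmail log line in the format shown, and checks it against a hypothetical allowlist (documentation ranges stand in for the real list).

```python
import base64
import ipaddress
import re

# Constructed sample: the AUTH LOGIN dialogue as seen in the ASCII column of
# the capture in the post (S = server, C = client).
SAMPLE_EXCHANGE = [
    ("C", "AUTH LOGIN"),
    ("S", "334 VXNlcm5hbWU6"),
    ("C", "Z3JvdmVy"),
    ("S", "334 UGFzc3dvcmQ6"),
    ("C", "Z3JvdmVy"),
    ("S", "535 5.7.0 authentication failed"),
]
# Constructed sendmail line in the format shown in the post.
SAMPLE_LOG = ("Apr 20 11:24:32 mbnjcolo06 sendmail[11037]: v3KFOVOL011037: AUTH failure (LOGIN): "
              "user not found (-20) SASL(-13): user not found: checkpass failed, relay=c190216197-18.static.impsat.com.co [190.216.197.18] (may be forged)")
# Hypothetical allowlist (documentation ranges, not the provider's real list).
TRUSTED_SENDER_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]
RELAY_RE = re.compile(r"AUTH failure \((\w+)\):.*relay=\S+ \[([\d.]+)\]")

def decode_auth_login(exchange):
    # Username is returned in clear, the password only by length, so the result
    # can go into a support ticket without pasting a credential.
    info = {"prompts": [], "username": None, "password_len": 0, "outcome": None}
    expecting = None
    for side, line in exchange:
        if side == "S" and line.startswith("334 "):
            prompt = base64.b64decode(line[4:]).decode("ascii", "replace")
            info["prompts"].append(prompt)
            expecting = prompt.rstrip(": ").lower()      # "username" / "password"
        elif side == "S" and line[:3].isdigit():
            info["outcome"] = line[:3]                   # final reply code, e.g. 535
        elif side == "C" and expecting:
            value = base64.b64decode(line).decode("utf-8", "replace")
            if expecting.startswith("user"):
                info["username"] = value
            else:
                info["password_len"] = len(value)
            expecting = None
    return info

def relay_from_log(line):
    # (mechanism, relay IP) from a sendmail AUTH failure line, or None.
    m = RELAY_RE.search(line)
    return (m.group(1), m.group(2)) if m else None

def source_is_trusted(ip, ranges=TRUSTED_SENDER_RANGES):
    # True only when the relay IP sits inside a published sender range.
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)
```

Run over the sample, the username decodes to a plain dictionary word and the relay IP falls outside the allowlist, which is exactly the combination that should trigger a ticket to the provider rather than a credential reset on the receiving server.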

  • AIDAN
    Answered on April 20, 2017 at 12:51 PM

    Please accept my apologies for the trouble.

    I am escalating this so that our developers can look into it. You will be notified of any progress via this thread.

  • MBLicenseManager
    Answered on April 27, 2017 at 01:57 PM

    Any headway on this?

    Thanks,

    --Mike

  • AIDAN
    Answered on April 27, 2017 at 02:58 PM

    Please note that the issue is assigned a developer and has an important priority. We will be informed of any update via the thread.

    Thank you.

  • MBLicenseManager
    Answered on May 09, 2017 at 10:10 AM

    Any update on this?

    Thanks,

    --Mike C

  • david
    Answered on May 09, 2017 at 11:14 AM

    No updates on this as of yet.  It is still assigned to a developer but since this is a unique question, it may take some time for an update.  As soon as we have any further information, we will let you know.